INFO498 Information Security, Fall 2004. Lesson 1. Barbara Endicott-Popovsky.
Introductions and Overview of the Threat Spectrum
Theoretical Basis: how should we think about security?
Security Services: confidentiality, integrity, availability. How much of each a system needs is not fixed; it is a function of the setting: ƒ(context, needs, customs, laws).
CIA Implementation (for each service: definition, tools, dependencies)

Confidentiality
– Definition: concealment of information and resources; hiding the very existence of information and resources
– Tools: encryption; access control
– Dependencies: reliance on the system; assumptions and trust about that reliance

Integrity
– Definition: trustworthiness of information and resources (authentication); correctness of data (data integrity)
– Tools: prevention (block attempts, block unauthorized actions); detection (report attempts and unauthorized actions that got through)
– Dependencies: assumptions about the source; trust in the source

Availability
– Definition: ability to use information and resources
– Tools: system design; statistical models of use
– Dependencies: accuracy of the statistical models; being able to identify anomalies
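Added example, not from the lecture: the availability row above says the tool is a statistical model of use and the dependency is the model's accuracy. The script below fits a mean/standard-deviation model to a constructed baseline of requests per minute, flags intervals that the model does not explain, and then corroborates with a second signal (requests per source) before calling an interval a flood, because a high z-score alone can also mean the model is stale or the business grew. All samples and the per-source rule are constructed for illustration.

```python
"""Statistical model of use for availability: added example, not from the lecture.

ASSUMPTION: the baseline and live samples below are constructed, and the
"requests per source" corroboration rule is illustrative, not a standard."""
from statistics import mean, pstdev

# Constructed baseline: requests per minute observed during known-normal operation.
BASELINE_RPM = [48, 52, 50, 47, 55, 51, 49, 53, 50, 46, 54, 52]

# Constructed live feed: (minute, requests per minute, distinct source addresses).
LIVE = [
    (1, 51, 40),
    (2, 49, 38),
    (3, 420, 3),   # flood: huge volume from a handful of sources
    (4, 455, 2),
    (5, 50, 41),
    (6, 110, 90),  # legitimate surge: many distinct clients, modest per-source rate
]


def fit_model(samples):
    """Summarise normal use as (mean, standard deviation)."""
    mu, sigma = mean(samples), pstdev(samples)
    return mu, max(sigma, 1.0)  # floor sigma so a flat baseline cannot divide by zero


def z_score(value, model):
    mu, sigma = model
    return (value - mu) / sigma


def classify(rpm, sources, model, threshold=3.0, min_per_source=20):
    """Return 'normal', 'flood' or 'surge' for one interval.

    A z-score above threshold only says the model does not explain the
    traffic; the model may be stale or the business may have grown. Before
    calling it an attack we corroborate with requests per source: a flood
    concentrates volume on few sources, organic growth spreads it out."""
    if z_score(rpm, model) <= threshold:
        return "normal"
    if sources > 0 and rpm / sources >= min_per_source:
        return "flood"
    return "surge"


def detect(live=LIVE, baseline=BASELINE_RPM):
    """Classify every live interval against a model fitted to the baseline."""
    model = fit_model(baseline)
    return [(minute, classify(rpm, src, model)) for minute, rpm, src in live]


if __name__ == "__main__":
    for minute, verdict in detect():
        print(f"minute {minute}: {verdict}")
```

Minute 6 is the case the dependencies column warns about: the model says "anomaly", but the traffic is spread over many clients, so treating it as a denial-of-service attack and rate-limiting it would itself damage availability. Refit the baseline periodically, and keep the corroborating signal independent of the one the model was fitted on.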
Security Design: threats, vulnerabilities, controls. Threats + vulnerabilities → controls: a control is chosen to stop a particular threat from exploiting a particular vulnerability.
Threats, classified by the four outcomes they produce:
– Disclosure: unauthorized access to information
– Deception: acceptance of false data
– Disruption: interruption or prevention of correct operation
– Usurpation: unauthorized control of a system or part of a system

Threat and the outcomes it produces:
– Snooping: disclosure
– Wiretapping: disclosure
– Modification/alteration: deception, disruption, usurpation
– Man-in-the-middle: deception, disruption, usurpation
– Masquerading/spoofing: deception, usurpation
– Repudiation of origin: deception
– Denial of receipt: deception
– Delay: usurpation (also supports deception)
– Denial of service: usurpation (also supports deception)
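Added example, not from the lecture, serving both the CIA tools column above (encryption for confidentiality, data integrity as a separate tool) and the modification/man-in-the-middle rows of the threat table. It shows why the two tools are listed separately: a stream cipher hides the message but a man-in-the-middle can still flip chosen bits of the ciphertext and change the decrypted amount, and only a message authentication code (here HMAC-SHA-256 in encrypt-then-MAC form) turns that modification into a detected, rejected message. The cipher is a toy keystream built from SHA-256 standing in for a real CTR-mode cipher; keys, nonce and message are constructed.

```python
"""Confidentiality versus integrity: added example, not from the lecture.

The stream cipher here is a toy (keystream = SHA-256(key || nonce || counter))
standing in for a real CTR-mode cipher; keys and the message are constructed.
The point carries over to real stream/CTR modes: encryption alone is malleable."""
import hashlib
import hmac

KEY_ENC = bytes(range(32))      # constructed keys, fixed so the demo is deterministic
KEY_MAC = bytes(range(32, 64))
NONCE = b"\x00" * 12
MESSAGE = b"PAY 0100 TO ALICE"


def keystream(key, nonce, length):
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, nonce, data):
    """XOR with the keystream; the same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def tamper(ciphertext, offset, old, new):
    """Attacker edit needing no key: XOR (old ^ new) into the ciphertext at a
    known offset, which XORs the same difference into the recovered plaintext."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def seal(key_enc, key_mac, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    ct = encrypt(key_enc, nonce, plaintext)
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key_enc, key_mac, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message rejected")
    return encrypt(key_enc, nonce, ct)


def demo():
    # 1. Encryption only: the amount is changed without the key and nobody notices.
    ct = encrypt(KEY_ENC, NONCE, MESSAGE)
    forged = tamper(ct, offset=4, old=b"0100", new=b"9900")
    tampered_plaintext = encrypt(KEY_ENC, NONCE, forged)

    # 2. Encryption plus MAC: the same edit is detected and the message rejected.
    blob = seal(KEY_ENC, KEY_MAC, NONCE, MESSAGE)
    forged_blob = tamper(blob, offset=12 + 4, old=b"0100", new=b"9900")
    try:
        open_sealed(KEY_ENC, KEY_MAC, forged_blob)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "roundtrip": open_sealed(KEY_ENC, KEY_MAC, blob),
        "tampered_plaintext": tampered_plaintext,
        "tamper_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the MAC must cover the nonce as well as the ciphertext (otherwise a replay with a different nonce passes), and the comparison must be constant-time, which is why `hmac.compare_digest` is used rather than `==`.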
Threat Spectrum
Vulnerabilities
– Software engineering: traceability of requirements; design
– Programming: buffer overflows; compilers
– Networks: Wi-Fi; anonymity; standards
– Others?
Controls
– Policies: a statement of what is and what is not allowed; expressed as a document, an algorithm or a mathematical expression
– Mechanisms: a method, tool or procedure for enforcing the policy; technical or non-technical
Controls, by vulnerability area
– Software engineering: applying the disciplines; formal methods
– Programming: encryption; access control
– Networks: firewalls; IDS; access control
– Others?
The 3 R Goals (for each: definition, tools)
– Resistance: prevention. Tools: firewalls, authentication.
– Recognition: detection. Tools: IDSs, internal integrity checks.
– Recovery: assess and repair while essential services continue to function. Tools: incident response, SNA (survivable network analysis), active defense.
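Added example, not from the lecture, for the recognition row above ("internal integrity checks"). It records a baseline of SHA-256 hashes and permission bits for every regular file under a directory, then compares a later snapshot and reports added, removed, modified and re-permissioned files. The directory tree and the simulated intrusion (a new UID-0 account appended to passwd, a same-length replacement of a login binary, a dropped file) are constructed in a temporary directory so the script runs offline.

```python
"""Internal integrity check (recognition): added example, not from the lecture.

Snapshot a tree, store the snapshot somewhere the attacker cannot write, and
later compare. The directory layout and the 'intrusion' are constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> size, permission bits, SHA-256 for every regular file."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
                "sha256": hash_file(p),
            }
    return snap


def compare(baseline, current):
    """Report what changed; the content hash catches same-size edits that a
    size-only or timestamp-only check would miss."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p]["sha256"] != current[p]["sha256"]),
        "mode_changed": sorted(p for p in common if baseline[p]["mode"] != current[p]["mode"]),
    }


def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF login 0000")
        baseline = snapshot(root)   # in practice: signed and kept off the monitored host

        # Constructed intrusion: extra UID-0 account, same-size trojaned binary, dropped file.
        with open(root / "etc" / "passwd", "a") as f:
            f.write("eve:x:0:0::/tmp:/bin/sh\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF login 1337")  # same length as before
        (root / "tmp").mkdir()
        (root / "tmp" / ".rootkit").write_text("payload")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check is only as trustworthy as the baseline: if the attacker can rewrite the stored hashes, or the hashing tool itself, the comparison reports a clean system. That is the "mechanisms installed and administered correctly" assumption from the Trusting Controls slide in concrete form, and it is why real tools keep the baseline signed and off the monitored host.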
Trusting Controls. Trusting a set of controls rests on four assumptions:
– each mechanism is designed to implement one or more parts of the policy
– the sum total of the mechanisms implements every aspect of the policy
– the mechanisms are implemented correctly
– the mechanisms are installed and administered correctly
Software Engineering to the Rescue! Information assurance means: develop detailed specifications of the desired behavior; a design that conforms to the specification; proofs that the implementation produces the desired behavior (covering procedures and maintenance as well). Requirements → Specification → Design → Implementation. Prove each line of code?
Bottom line: You Will Never Own a Perfectly Secure System!!!
Operational View Looking at the practical issues…
What is "Security"? Decide what "secure" means to you, then identify the threats you care about: viruses, identity theft, denial of service, espionage, stolen customer data, modified databases, cyberterrorism, equipment theft.
Balance risk vs. cost
– Costs: the solution; the value of the asset; potential losses
– Risks: likelihood; potential impacts
Take into account:
– Laws and customs
– Organization issues: security is a non-earning asset; budget constraints; responsibility vs. power
– People issues: education and awareness; insider abuse; misuse
Current Concerns Dynamic nature of threats…
From the CSI/FBI Report 2002
– 90% detected computer security breaches within the last year
– 80% acknowledged financial losses
– 44% were willing and/or able to quantify their financial losses; these 223 respondents reported $455M in losses
– The most serious losses came through theft of proprietary information (26 respondents: $170M) and financial fraud (25 respondents: $115M)
– For the fifth year in a row, more respondents cited their Internet connection (74%) as a frequent point of attack than cited their internal systems (33%)
– 34% reported intrusions to law enforcement (in 1996, only 16% acknowledged doing so)
More from CSI/FBI 2002
– 40% detected external penetration
– 40% detected denial of service attacks
– 78% detected employee abuse of Internet access privileges
– 85% detected computer viruses
– 38% suffered unauthorized access or misuse on their Web sites within the last twelve months; 21% didn't know
– 12% reported theft of transaction information
– 6% reported financial fraud (only 3% in 2000)
Legislation and Regulation. Government requirements for better security:
– HIPAA: Health Insurance Portability and Accountability Act
– Sarbanes-Oxley
– USA PATRIOT Act
And more are coming.
Critical Infrastructure … gas and oil, telecommunications, water supply systems, emergency services, government services, electrical power systems, transportation, banking and finance.
Interdependence of Critical Infrastructure
Cyber Terrorism
– The Internet Black Tigers' successful DoS attack on Sri Lankan embassy servers
– Italian sympathizers of the Mexican Zapatista rebels attacked Mexican bank web pages
– The rise of "hacktivism"
Source: Freeh, testimony before the Senate, 2000.
Hacking Improvement (figure: along the time axis, the technical knowledge an attacker needs falls while the sophistication of hacker tools rises). Techniques as laid out along that axis: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, self-replicating code, back doors, hijacking sessions, sweepers, sniffers, stealth diagnostics, DDoS, packet forging and spoofing, new Internet attacks.
Malicious Code: backdoors, Trojan horses, bacteria, logic bombs, worms, viruses, "X Files".
Warchalking, Wardriving, Warwalking (originated in the UK)
– Warchalking: making a series of chalk markings showing the presence and vulnerabilities of nearby wireless networks. Example: a circled "W" indicates a WLAN protected by Wired Equivalent Privacy (WEP). Note that WEP itself was shown to be cryptographically weak in 2001, so the mark signals nominal rather than strong protection.
– Wardriving, warwalking: driving or walking around with a wireless notebook looking for unsecured wireless LANs.
Threats to Personal Privacy
– Buying and selling confidential Social Security information
– Browsing IRS files
– Buying and selling bank account name lists
– E-commerce: credit card numbers, names, passwords
Sources: House Ways and Means Committee, 102nd Congress, 1992; S. Barr, Washington Post, 2 Aug. 1993; Freeh, testimony before the Senate, 2000.
Identity Theft. Federal Trade Commission: http://www.consumer.gov/idtheft/ . Cases listed under "recent":
– $7M loss: 12,000 credit card numbers stolen from Florida restaurants
– Credit card skimmers plus driver's licenses, Florida
– Fake Social Security and INS cards sold for $150–$250
– 24 aliases; false IDs used to secure credit cards, open mail boxes and bank accounts, fraudulently obtain federal income tax refunds, and launder the proceeds
– Bank employee indicted for stealing depositors' information to apply over the Internet for loans